Well, here I am again. I’ve been coming to BlackHat/Defcon for over a decade now. And this is my 4th year teaching a class I call “Application Security: For Hackers and Developers”. In my class we cover source code auditing, fuzzing, reverse engineering, and exploit development. These skills are needed by hackers so that they […]

At Black Hat USA 2013 the Bromium Labs team will demonstrate a second fundamental design flaw present in all Windows sandboxes (sometimes called “software virtual containers”). The flaw allows malware to escape user-space containment and compromise an endpoint that is equipped with a full suite of traditional endpoint protection software. Our demonstration exploits a (known, patched) […]

I’m excited to announce a new research report from Bromium Labs, written by myself and Rafal Wojtczuk. It ended up being far more comprehensive than we initially thought, so we decided to call it “Application Sandboxes: A Pen Tester’s Perspective”. In this report we perform a security evaluation of publicly available application sandboxes, viz. Google Chrome, Adobe Reader, […]

It’s become cool, particularly among those that sport Macs, to scoff at Java and pretend that it’s an anachronism that the world doesn’t need. Perhaps it’s a re-enactment by the Apple faithful of Steve Jobs’s disdain for Flash, spurred by Apple’s removal of Java as a default plugin for Safari after Apple itself was compromised […]

Bromium Labs is a security research organization within Bromium whose charter is to serve enterprise security teams by providing research and analysis of security technologies, attack strategies and specific threats. We would like you to have the tools and knowledge to be able to critically examine new and old security widgets in their ability to deal […]

According to Gartner’s recent report, “Strategies for Dealing With Advanced Targeted Attacks”, we’re in the eye of a five-year storm; a pwnado (or would you prefer malwarricane? vulncano?). However, the strategies being adopted by many enterprise InfoSec/OpSec teams to combat these threats often suffer from survivorship bias, packaged by security vendors under the […]

We’re in the second half of the year, which means a long array of tradeshows is now behind us. On the heels of the most recent events I’ve attended, Gartner Security and Risk Management Summit, and IANS Dallas – both excellent shows attended by an impressive array of information security brass – I realized that […]